A quick analysis of the Gizmo Project's integration with Asterisk


I came across an article detailing how to use the Gizmo project client to dial through Asterisk when the big boss wanted to know if this looked like something nice for our customers. Initially, the Gizmo looks like an ordinary SIP client, but I noticed the REGISTER didn't come from a known IP address. Below is a small diagram of what seems to happen.
  • At the time of initial login, the Gizmo contacts 198.65.166.170 and talks a bit over HTTPS, so it's pretty impossible to guess what the talk is about. Then follows some STUN traffic, some Jabber stuff, and some more HTTPS.
  • All SIP communication is with proxy01.sipphone.com, relaying it to the Asterisk server.
  • RTP Traffic was sent through 213.198.65.201, a box in Germany.
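
The first observation above (a REGISTER arriving from an unknown address) can be checked on the Asterisk side. The following is an added example, not code from this article or from Gizmo: the sample message, addresses and function names are constructed, and it assumes the relaying proxy adds its own Via header, as RFC 3261 proxies do.

```python
import ipaddress
import re

# Constructed sample (documentation addresses), not a capture from the article:
# a REGISTER as the Asterisk box might see it after a proxy has relayed it.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bKproxy1\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKclient1\r\n"
    "From: <sip:1001@pbx.example.net>;tag=a1\r\n"
    "To: <sip:1001@pbx.example.net>\r\n"
    "Call-ID: constructed-1@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@198.51.100.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def header_values(msg, name, compact):
    """All values of one header, top to bottom (folded lines not handled)."""
    values = []
    for line in msg.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        key, _, value = line.partition(":")
        if key.strip().lower() in (name, compact):
            values.append(value.strip())
    return values

def check_register(msg, src_ip, known_nets):
    """Return findings about where a REGISTER really came from (IPv4/hostnames)."""
    findings = []
    nets = [ipaddress.ip_network(n) for n in known_nets]
    if not any(ipaddress.ip_address(src_ip) in n for n in nets):
        findings.append(f"source {src_ip} is not in a known client network")
    # One header line may carry several comma-separated Via entries.
    vias = [v.strip() for line in header_values(msg, "via", "v") for v in line.split(",")]
    hops = [m.group(1) for v in vias
            if (m := re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)", v))]
    if len(hops) > 1:  # top Via is the last relay, bottom Via is the client
        findings.append(f"relayed via {hops[0]}; originating client is {hops[-1]}")
    for c in header_values(msg, "contact", "m"):
        m = re.search(r"sips?:(?:[^@>;]+@)?([^:;>\s]+)", c)
        if m and hops and m.group(1) != hops[-1]:
            findings.append(f"Contact points at {m.group(1)}, not the client")
    return findings

if __name__ == "__main__":
    for f in check_register(SAMPLE_REGISTER, "198.51.100.10", ["192.168.1.0/24"]):
        print(f)
```
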
Conclusion
I don't like this. What is this HTTPS traffic? Why doesn't the client communicate directly with Asterisk? It looks like they want to allow themselves to monitor traffic in case they want to. The fact that it is sub-optimal to add latency by sending RTP across Europe is one thing, but what's worse is why they're doing it in the first place.

Follow-up
I got the following answer from Prasad Mahendra from sipphone.com, so I thought I should show it in the article:

  Roy, I came across this article on the web (http://karlsbakk.net/asterisk/gizmo-project.php) and I can explain Gizmo's behavior and perhaps alleviate some of your concerns:
  • Use of HTTPS: Gizmo uses HTTP/HTTPS to log in and configure itself, which is necessary for it to discover the proxy, relays etc. it should use, which are distributed world-wide.
  • We use RTP relays whenever peer to peer communication is not possible (for example if you are behind a symmetric NAT). This is necessary or Gizmo will be broken/will not work for a significant % of users. (Perhaps this is irrelevant for Asterisk since Asterisk proxies all media? Supporting a secondary SIP service in general however is a different story and we need to fully take care of NAT traversal).
  • Secondary Login (Asterisk etc.) SIP signals are routed through our proxy for (a) call history recording in Gizmo (so that you can log in with your Asterisk user/pass anywhere and have your call history with you on Gizmo) (b) for NAT traversal
  Hope this answers your questions/concerns. Let us know your thoughts/suggestions.

Prasad Mahendra

[Engineering]
 
My answer...
 
  Hi

Thank you for the answer. It has been added in full to the article about your system, as to inform the community of your concerns.

I still fear some people, myself among them, will refrain from using your system, since sending private data across the world is a security risk not worth taking. You may consider adding an option in allowing the user the choice of whether or not to send private data through your system.

roy

Roy Sigurd Karlsbakk